250 likes | 402 Views
HIPAA Week 3. The Security Rule. The Security Rule (SR) deals with ONLY electronic Protected Health Information ( ePHI ), which is essentially a subset of what the Privacy Rule encompasses (includes oral, hard copy and electronic PHI). Security Rule.
E N D
HIPAA Week 3 The Security Rule
The Security Rule (SR) deals with ONLY electronic Protected Health Information (ePHI), which is essentially a subset of what the Privacy Rule encompasses(includes oral, hard copy and electronic PHI) Security Rule
To ensure reasonable and appropriate administrative, technical, and physical safeguards that insure the integrity, availability and confidentiality of health care information, and protect against reasonably foreseeable threats to the security or integrity of the information. Goal of Security Rule
Both external and internal threats Prevention of denial of service Theft of private information Integrity of information Focus of Security Rule
Security protections are “reasonable and appropriate” Foundation
Are separated into three groups: Administrative Safeguards Physical Safeguards Technical Safeguards The Standards…
Ensure: Confidentiality (only the right people see it) Integrity (the information is what it is supposed to be – it hasn’t been changed) Availability (the right people can see it when needed) General Requirementsof the Standards…
1. Administrative Procedures 2. Physical Safeguards 3. Technical data security services 4. Technical security mechanisms Rule has 4 categories
Administrative Procedures: 12 Requirements • 1. Certification • 2. Chain of Trust Agreements • 3.Contingency Plan • 4. Mechanism for processing records • 5. Information Access Control • 6. Internal Audit • 7. Personnel Security • 8. Security configuration Management • 9. Security Incident Procedures • 10. Security Management • 11. Termination Procedures • 12. Training
1. Assigned Security Responsibility 2. Media Controls 3. Physical Access Controls 4. Policy on Workstation Use 5. Secure Workstation Location 6. Security Awareness Training Physical Safeguards: 6 Requirements
1. Access Control 2. Audit Controls 3. Authorization Control 4. Data Authentication 5. Entity Authentication Technical Data Security Services: 5 Requirements
1. Protections for health information transmitted over open networks via: • Integrity controls, and • Message authentication, and • Access controls OR encryption Technical Security Mechanism: 1 Requirement
The new Privacy requirements apply if all of the following are present in a Privacy Event: • •There is a “Breach.” The Rule defines “Breach” to mean (subject to certain exceptions) the unauthorized acquisition, access, use, or disclosure of protected health information (“PHI”). • •The PHI is “unsecured.” The Rule defines “unsecured protected health information” to mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by HHS guidance. • •The Breach “compromises the security of the PHI.” Under the Rule, this occurs when there is a significant risk of financial, reputational, or other harm to the individual who’s PHI has been compromised. New rules for Breaches
Prior to HITECH Act, no mandated reporting to outside authorities Since HITECH: notifications are mandatory for breach of unsecured ePHI Notification of Breaches
OCR received 7,116 complaints in 2009, a sharp decline from the 8,526 received in 2008 and 8,174 received in 2007. In 2006, OCR received 7,334 complaints. Breaches
Incidental disclosure of individually identifiable health information Lack of adequate safeguards Not providing a copy of records to patients Disclosure of more than necessary information Failure to give notice of privacy practice Primary reasons for the violations
Notification to Individuals. • A covered entity must send the required notification to each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the Breach, without unreasonable delay. • Must be in plain reasonable language • If patient is deceased, must notify next of kin. Notification Guidelines:
Notification to Media. If a covered entity discovers a Breach affecting 500 or more residents of a state or jurisdiction, it must provide notice to prominent media outlets serving that state or jurisdiction without unreasonable delay Notification Guidelines:
Notification to HHS. If 500 or more individuals are involved in the Breach, then the covered entity must notify HHS concurrently with the individual notifications. • HHS (through the HHS enforcement agency; The Office of Civil Rights or ‘OCR’) requires annual notification for Breaches involving less than 500 individuals per Event annually Notification Guidelines:
Enforcement and Penalties begins February 2010 Projected to be increased enforcement from OCR In the past CMS (Centers for Medicare and Medicaid Services) has enforced HIPAA Security Rules while OCR has handled Privacy Rule compliance. Enforcement
Now: Privacy and Security enforcement will be combined under one agency (OCR). This will eliminate duplication of work and increase efficiency according to the HHS Secretary. Another significant enforcement change is that under HITECH State Attorney Generals can now bring actions for Privacy violations in federal court. Enforcemnetcon’t
The “Stimulus Act” requires that within the next three years regulations are passed that will allow individual victims of a HIPAA violation to receive a percentage of any monetary penalty collected from the offense. • This monetary incentive could significantly increase the number of HIPAA complaints brought by individuals. New rule
Implement the necessary safeguards • Perform a risk analysis • Risk management • Ensure policies are in place Stay attuned to deadlines and changes in the law! implementation
Development and documentation of policies and procedures Designation of a privacy official Identifying and contracting with business associates Development of patient consent and authorization forms Distributing and updating notice of privacy practices and associated procedures Development and distribution of patient notice Capturing, tracking, and maintaining history of data disclosures Tracking and resolving individual complaint Training workforce members who have access to patient identifiable information Altering the oral communication culture of the organization Key Impacts of HIPAA" include
McLendon, K. (nd). HIPAA Privacy Summary, http://www.hixperts.com/HIX%20HIPAA%20Summary%20(01%2026%2010).pdf Graham, D., & Stubbs, (2009). Significant HIPAA Modifications in the American Recovery and Reinvestment Act of 2009. Available from: http://www.dgslaw.com/documents/articles/HIPAA_Stimulus09_893166.html Leyva, D, & Leyva, C.(nd). HITECH Survival Guide. Available from: http://www.hipaasurvivalguide.com/hipaa-survival-guide-16.php References: